Thoughts on Portal from Level 2 Support
twcornwe | Tags: urp, reserved, label, url_mapping, keyword, ambiguity, conflict, mapping, codecs, url, name
In some cases, when you attempt to create a URL mapping with a certain label name (for example, "pw"), you get an exception such as: "EJPEC0910E: AbstractMappingURLCommand: label pw is invalid."
As documented in the section "The administrative model of URL Mapping" of the IBM WebSphere Portal v7 wiki, a label must not have the same name as any of the URL codecs that Portal uses, because that would introduce an ambiguity when parsing the complete URL.
The reserved names are mentioned in the IBM WebSphere Portal v7 wiki on this page:
The list contains these reserved names:
base64xml, b0, b0_1, b0_2, b0_3, b1, b2, b3, c0, c0_1, c0_2, c1, c2, c3, c4, c4_1, c4_2, c4_3, c5, c6, c7, cxml, cxmld, cxml_1, cxml_2, d0, d1, d2, d3, d4, d5, delta, dl2, dl3, dl4, kcxml, nm1, nm2, nm3, nm4, pw, resource, sel, vp, wml
If you see the same issue with a label name that is not in this list, please report it to IBM WebSphere Portal support via a PMR for further investigation.
twcornwe | Tags: unencrypted, encrypted, url, login, protected, auto-login, authentication, secured, sniff, password
Login URL overview:
WebSphere Portal 6.0 and later offer the ability to log in to the Portal using a specially crafted URL of the following format:
A full example of this URL in use would be:
This URL does not bypass normal authentication mechanisms. The username and password are passed along the PUMA, WAS, and VMM/WMM layers, as would occur with a normal login via the login portlet. Once authentication completes, users are redirected to the first page that they are authorized to access (for example, the Getting Started page).
The login URL is a convenience that lets Portal administrators bookmark their sites and log in automatically each time. Other applications also make use of this URL; Rational Application Developer, for example, uses this same URL when invoking the Portal Admin Console. This login URL can also give Portal administrators a way to reach the Portal Admin console when they are unable to do so via normal means (i.e. the login portlet, theme, etc. are not functioning correctly). Namely, you can enter the following URL:
...which should in turn bring the Portal administrator to the Administration area without ever accessing the login portlet. There are many other uses of the login URL, and these examples illustrate a few of the more common use cases.
Using the Login URL over the internet:
A STRONG warning should be given about using this URL over the internet. The URL by itself is sent unencrypted over the http protocol. Using software such as Fiddler (http://www.fiddler2.com/) or WireShark (http://www.wireshark.org/), it is trivial to sniff the unencrypted http URL and thereby obtain a valid username and password for the Portal system. Therefore, it is recommended to secure this URL if it will cross an unsecured network (such as the internet) before arriving at the Portal server.
Although there are means to force the WebSphere Portal login portlet to use a secureURL when authenticating users, that same option is not available for the login URL. The login URL can be encrypted with SSL. However, if this is enabled, then the entire Portal site must also be enabled with SSL, which may not be desirable. If a web server such as IBM HTTP Server sits in front of the Portal, it may be possible to include a mod_rewrite rule that forces this specific URL over SSL while all other requests are still permitted over HTTP. Note, however, that this should only be used as a failsafe. If a user accesses the login URL over the internet and accidentally sends the request over HTTP, the username and password have already been sent in the clear before the request ever reaches the web server and/or Portal server. The web server with the mod_rewrite rule could reject such requests over HTTP, but the action would have already been committed and the username and password potentially sniffed off the network. The web server can still act as a failsafe, but the client side must be updated to ensure that the first request is not sent out in the clear.
Therefore, if using the auto-login URL on the client side, whether via a web browser, a custom application, etc., be SURE to use the auto-login URL over SSL as a best practice.
Disabling the Auto-login URL
The automagic login URL may be disabled in Portal 8001 cumulative fix 12 or later, or in any version of Portal 8.5. To do so:
i. Log in to the WebSphere Administration Console
If you are not on one of these versions of Portal and need to block the auto-login URL, utilize a rewrite rule on your web server.
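The web server rules mentioned above (the SSL-only failsafe and the outright block) could look like the following on IBM HTTP Server or Apache httpd with mod_rewrite loaded. This is an added example, not configuration from the original post or from IBM. It assumes the credentials travel in a query parameter named `password` and that `/wps/portal` is the Portal context root; adjust both to your installation.

```apache
# Added example. ASSUMPTIONS (not from the original post):
#   - the auto-login URL carries the password in a query parameter
#     named "password"
#   - the Portal context root is /wps/portal
# Use ONE of the two options, in the virtual host(s) that front Portal.

RewriteEngine On

# --- Option A: failsafe, permit the login URL only over SSL ---------------
# A cleartext request carrying a password is refused with 403 rather than
# redirected to https. A redirect would make the cleartext request appear
# to work (so the client never gets fixed) and would repeat the credentials
# in the Location header. As the post notes, the password has already
# crossed the network by the time this rule runs; treat a hit on this rule
# as a credential exposure and change that password.
RewriteCond %{HTTPS} !=on
RewriteCond %{QUERY_STRING} (^|&)password= [NC]
RewriteRule ^/wps/portal - [F]

# --- Option B: block the auto-login URL entirely --------------------------
# For Portal versions that cannot disable the feature. Refuses any request
# under the Portal context root that carries a password in the query
# string, over HTTP and HTTPS alike, so it never reaches Portal.
#
# RewriteCond %{QUERY_STRING} (^|&)password= [NC]
# RewriteRule ^/wps/portal - [F]
```

Requests refused by either rule still appear in the access log with their full query string, so restrict who can read those logs or exclude the query string from the log format.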